Of the following, who should be PRIMARILY accountable for creating an organization's privacy management strategy?
Correct Answer: D
Some organizations, typically those that manage large amounts of personal information related to employees, customers, or constituents, will employ a chief privacy officer (CPO). Some organizations have a CPO because applicable regulations such as the Gramm-Leach-Bliley Act (GLBA) require it. Other regulations such as the Health Information Portability and Accountability Act (HIPAA), the Fair Credit Reporting Act (FCRA), and the GLBA place a slate of responsibilities upon an organization that compels them to hire an executive responsible for overseeing compliance.
Question 82
Which encryption method encrypts and decrypts data using two separate yet mathematically connected cryptographic keys?
Correct Answer: C
Explanation Asymmetric encryption, also known as public-key encryption, encrypts and decrypts data using two separate yet mathematically connected cryptographic keys. One key is called the public key and can be shared with anyone, while the other key is called the private key and must be kept secret. The public key is used to encrypt the data, and only the corresponding private key can decrypt it. Likewise, the private key can be used to sign the data, and only the corresponding public key can verify it. This method provides confidentiality, integrity, authentication and non-repudiation for data. References: CDPSE Review Manual, 2021, p. 117
Question 83
Which of the following BEST supports an organization's efforts to create and maintain desired privacy protection practices among employees?
Correct Answer: B
Explanation Awareness campaigns are initiatives that aim to educate and inform employees about the importance of privacy protection, the organization's privacy policies and procedures, the applicable laws and regulations, and the best practices and behaviors to safeguard personal data. Awareness campaigns can support an organization's efforts to create and maintain desired privacy protection practices among employees by raising their awareness, understanding and commitment to privacy, as well as by influencing their attitudes, values and culture. Awareness campaigns can use various methods and channels, such as posters, newsletters, videos, webinars, quizzes, games or events, to deliver consistent and engaging messages to the target audience. The other options are not the best ways to support an organization's efforts to create and maintain desired privacy protection practices among employees. Skills training programs are focused on developing specific technical or functional skills related to privacy, but they may not address the broader aspects of privacy awareness or culture. Performance evaluations are focused on measuring and rewarding individual or team performance based on predefined criteria or objectives, but they may not reflect the actual level of privacy awareness or practice. Code of conduct principles are focused on establishing and enforcing ethical standards and rules of behavior for employees, but they may not be sufficient to create or maintain privacy awareness or practice without effective communication and education1, p. 103-104 References: 1: CDPSE Review Manual (Digital Version)
Question 84
Which of the following is the BEST method of data sanitization when there is a need to balance the destruction of data and the ability to recycle IT assets?
Correct Answer: A
Explanation Cryptographic erasure is a data sanitization method that uses encryption to render data unreadable and unrecoverable. It is the best method when there is a need to balance the destruction of data and the ability to recycle IT assets, because it does not damage the storage media and allows it to be reused or sold. It is also faster and more environmentally friendly than physical destruction methods. References: * ISACA Certified Data Privacy Solutions Engineer (CDPSE) Exam Content Outline, Domain 2: Privacy Architecture, Task 2.4: Implement data sanitization methods to ensure data privacy and security, Subtask 2.4.1: Select appropriate data sanitization methods based on the type of data and storage media. * What is Data Sanitization? | Data Erasure Methods | Imperva
Question 85
What is the BEST method to protect customers' personal data that is forwarded to a central system for analysis?
Correct Answer: A
Explanation Pseudonymization is a technique that replaces direct identifiers in a data set with pseudonyms or artificial identifiers that do not reveal the identity of the data subjects. Pseudonymization is the best method to protect customers' personal data that is forwarded to a central system for analysis, as it reduces the linkability of the data set with the original identity of the customers and thus enhances the privacy and security of the data. Pseudonymization also preserves some characteristics or patterns of the original data that can be used for analysis or research purposes, without compromising the accuracy or quality of the results. The other options are not as effective as pseudonymization in protecting customers' personal data that is forwarded to a central system for analysis. Deletion is a technique that removes or destroys data from a storage device or media to prevent unauthorized access or recovery of the data, but it does not allow for any analysis or research purposes. Encryption is a technique that transforms plain text data into cipher text using an algorithm and a key, making it unreadable by unauthorized parties, but it does not reduce the linkability of the data set with the original identity of the customers and may require additional security measures to protect the encryption keys or certificates. Anonymization is a technique that removes or modifies all identifiers in a data set to prevent or limit the identification of the data subjects, but it may affect the accuracy or quality of the analysis or research results, as some characteristics or patterns of the original data may be lost or distorted1, p. 74-75 References: 1: CDPSE Review Manual (Digital Version)
